Senate File 2349 - Reprinted SENATE FILE 2349 BY COMMITTEE ON COMMERCE (SUCCESSOR TO SSB 3182) (As Amended and Passed by the Senate March 11, 2020 ) A BILL FOR An Act relating to the office of the chief information officer, 1 including procurement preferences and a report detailing 2 state information technology assets. 3 BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA: 4 SF 2349 (2) 88 ja/rn

S.F. 2349 Section 1. Section 8B.1, Code 2020, is amended by adding the 1 following new subsection: 2 NEW SUBSECTION . 2A. “Cloud computing” means the same as 3 defined in the United States national institute of standards 4 and technology’s special publication 800-145. 5 Sec. 2. Section 8B.9, subsection 6, Code 2020, is amended 6 to read as follows: 7 6. Beginning October 1, 2019, a quarterly report regarding 8 the status of technology upgrades or enhancements for state 9 agencies, submitted to the general assembly and to the 10 chairpersons and ranking members of the senate and house 11 committees on appropriations. The quarterly report shall 12 also include a listing of state agencies coordinating or 13 working with the office , and a listing of state agencies not 14 coordinating or working with the office , and the information 15 required by section 8B.24, subsection 5A, paragraph “b” . 16 Sec. 3. Section 8B.24, Code 2020, is amended by adding the 17 following new subsection: 18 NEW SUBSECTION . 5A. a. The office shall, when feasible, 19 procure from providers that meet or exceed applicable state 20 and federal laws, regulations, and standards for information 21 technology, third-party cloud computing solutions and other 22 information technology and related services that are not hosted 23 on premises by the state. 24 b. If the office determines it is not feasible to procure 25 third-party cloud computing solutions or other information 26 technology and related services pursuant to paragraph “a” , and 27 if on-premises technology upgrades or new applications to be 28 housed on-premises are proposed, the office shall include all 29 of the following in the report required pursuant to section 30 8B.9, subsection 6: 31 (1) An explanation as to why a cloud computing deployment 32 was not feasible. 33 (2) Whether the application can be deployed using a hybrid 34 or containerized approach to minimize on-premise costs. 35 -1- SF 2349 (2) 88 ja/rn 1/ 3

S.F. 2349 (3) Compliance frameworks that require the application to 1 be hosted on-premises. 2 c. The office shall contract with multiple third-party 3 commercial cloud computing service providers. 4 d. The control and ownership of state data stored with cloud 5 computing service providers shall remain with the state. The 6 office shall ensure the portability of state data stored with 7 cloud computing service providers. 8 Sec. 4. Section 8B.24, subsection 6, Code 2020, is amended 9 to read as follows: 10 6. The office shall adopt rules pursuant to chapter 17A to 11 implement the procurement methods and procedures provided for 12 in subsections 2 through 5 5A . 13 Sec. 5. INVENTORY OF INFORMATION TECHNOLOGY ASSETS, CURRENT 14 CLOUD COMPUTING ADOPTION, AND CLOUD COMPUTING MIGRATION PLAN 15 —— REPORT. By November 1, 2020, the office of the chief 16 information officer, in collaboration with other state agencies 17 and departments, shall provide a report to the general assembly 18 that includes all of the following: 19 1. An inventory of all state information technology 20 applications, and the percentage of the information technology 21 applications that are cloud-based applications. 22 2. Recommendations regarding state information technology 23 applications that should migrate to cloud-based applications. 24 Each such recommendation shall include a description of 25 workloads and information technology applications that are best 26 suited to migrate to cloud-based applications given all of the 27 following considerations: 28 a. Whether the information technology application has 29 underlying storage, networks, or infrastructure that supports 30 another information technology application, and whether the 31 information technology application is supported by another 32 information technology application. 33 b. How critical the information technology application is 34 to the mission of the state agency or department. 35 -2- SF 2349 (2) 88 ja/rn 2/ 3

S.F. 2349 c. The difficulty of migrating the information technology 1 application to a cloud-based application. 2 d. The total cost of ownership of the target environment in 3 which the information technology application shall operate if 4 migrated to a cloud-based application. 5 -3- SF 2349 (2) 88 ja/rn 3/ 3